Maciej Stachowiak wrote:

On Aug 2, 2007, at 6:12 AM, Anne van Kesteren wrote:

On Tue, 31 Jul 2007 01:00:14 +0200, Maciej Stachowiak <[EMAIL PROTECTED]> wrote:
I'm a little bit worried that if we enable scripts for XHR (they are currently disabled in Firefox) that sites would break. Though chances are probably pretty small. However, if scripts are enabled we need to define exactly in which context they execute. Should they have their own 'window'? If not, 'window.document' would not refer to their own document.

Yes, I'm not really sure if it's a good idea, but we should consider the pros and cons of both options.

I tend to agree with Niklas Åkerlund that XMLHttpRequest is for fetching a single resource (of data). If we'd execute scripts in that resource per the HTML parser, that would mean that other resources have to be loaded as well. In my current copy of XMLHttpRequest level 2 I have written that the parser should run with support for scripting disabled for that reason. (I hope to check in a copy once I've clearly marked outstanding issues, maybe later today.)

Does this mean that the following should also apply:

<link rel="stylesheet"> will not trigger stylesheet loads
<iframe> will not load the linked document
<img> will not load its image contents

The last is particularly tricky, since right now in browsers an HTML IMG element always tries to load its image, even when not in a document.

Perhaps a good thing to test would be what these kinds of elements do if you put them in an XML response in the XHTML namespace, for browsers that support XHTML.

In mozilla we reject all loads of external objects originating from documents loaded using XMLHttpRequest. That should cover all of the above as well as <object>, <input type=image> and probably other things. Additionally we turn off <script>s, all sorts of stylesheets and javascript attributes such as onclick.

/ Jonas
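The test Maciej suggests above, written out as a browser-side probe. This is an added example and not code from the thread or from any browser project: it fetches a constructed XHTML document through XMLHttpRequest and records whether the parsed responseXML showed any of the behaviours the thread wants disabled (script execution, image, stylesheet, iframe and object loads, an onclick attribute). The probe markup, the signal heuristics (naturalWidth, styleSheets, contentDocument, global flags) and the use of a data: URL as the XHR target are assumptions made for this example; they are not taken from the specification under discussion.

```javascript
// Added example (not from the thread): probe what a browser does with
// sub-resource and script vectors inside an XHTML document that arrives
// via XMLHttpRequest. Markup, signals and decision logic are constructed here.

const XHTML_NS = 'http://www.w3.org/1999/xhtml';

// A 1x1 GIF as a data: URL: an image load needs no network, yet is still
// observable through naturalWidth if the browser actually performed it.
const TINY_GIF =
  'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';

// Builds the XHTML payload the probe requests; each element is one of the
// load or execution vectors discussed in the thread.
function buildProbeMarkup() {
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    `<html xmlns="${XHTML_NS}">`,
    '<head>',
    '<link rel="stylesheet" href="data:text/css,body%7Bcolor%3Ared%7D"/>',
    '<script>window.__xhrProbeScriptRan = true;</script>',
    '</head>',
    '<body onclick="window.__xhrProbeHandlerRan = true">',
    `<img id="probe-img" src="${TINY_GIF}"/>`,
    '<iframe id="probe-frame" src="about:blank"></iframe>',
    '<object id="probe-object" data="about:blank"></object>',
    `<input id="probe-input" type="image" src="${TINY_GIF}"/>`,
    '</body>',
    '</html>',
  ].join('\n');
}

// Inspects the Document from xhr.responseXML (browser only). `scope` is the
// window the request ran in; the script and onclick attribute set flags there.
function collectSignals(doc, scope) {
  const first = (tag) => doc.getElementsByTagNameNS(XHTML_NS, tag)[0] || null;
  const img = first('img');
  const frame = first('iframe');
  const body = first('body');
  // A synthetic click tells us whether the onclick="" attribute was compiled.
  if (body) body.dispatchEvent(new Event('click', { bubbles: true }));
  return {
    scriptRan: scope.__xhrProbeScriptRan === true,
    handlerRan: scope.__xhrProbeHandlerRan === true,
    imageLoaded: img !== null && img.naturalWidth > 0,
    stylesheetLoaded: doc.styleSheets.length > 0,
    frameHasBrowsingContext: frame !== null && frame.contentDocument !== null,
  };
}

// Pure decision step: every true signal is a behaviour the response document
// should not have exhibited if it is treated as data only.
function violations(signals) {
  return Object.keys(signals).filter((name) => signals[name] === true);
}

// Fetches the probe as application/xhtml+xml. A data: URL is used so no server
// is needed (assumption: the browser permits XHR to data: URLs, as current
// ones do). The signals are read after a short delay so that any loads the
// parser was going to start have had a chance to begin.
function runProbe(report, settleMs = 250) {
  const xhr = new XMLHttpRequest();
  const url = 'data:application/xhtml+xml,' + encodeURIComponent(buildProbeMarkup());
  xhr.open('GET', url);
  xhr.overrideMimeType('application/xhtml+xml');
  xhr.onload = () => {
    const doc = xhr.responseXML;
    if (!doc) { report({ error: 'no responseXML' }); return; }
    setTimeout(() => {
      const signals = collectSignals(doc, window);
      report({ signals, violations: violations(signals) });
    }, settleMs);
  };
  xhr.onerror = () => report({ error: 'request failed' });
  xhr.send();
}

// Only runs inside a browser; outside one (e.g. Node) there is no
// XMLHttpRequest, and only the pure helpers above can be exercised.
if (typeof XMLHttpRequest !== 'undefined' && typeof window !== 'undefined') {
  runProbe((result) => console.log(JSON.stringify(result, null, 2)));
}
```

Load the block from any page and read the console: an empty `violations` array means the browser treated the XHR response as inert data, which is the behaviour Jonas describes for Mozilla. The signals are deliberately coarse heuristics (a zero naturalWidth only shows the image had not loaded by the time the check ran), so a clean result is evidence, not proof, and a non-empty one is what deserves a closer look.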
